There is a lot of discussion, enthusiasm, and momentum surrounding how government agencies are adopting specialized editions of Microsoft Office 365 for government.
At the Government Tech Summit that occured in February, 2019 in Washington, DC, Microsoft announced further safeguards and protocols that mirror the National Institute of Standards and Technology’s (NIST’s) cybersecurity framework designed specifically for government agencies.
This is in an effort to meet and exceed compliance and security standards of the U.S. government, state, local, and contractors holding or processing sensitive information. Only approved agencies and contractors are eligible to use these specialized versions of Office 365.
Many government organizations in Florida handle Criminal Justice Information (CJI). Therefore, they must comply with Florida Department of Law Enforcement (FDLE) regulations. Organizations that have adopted Microsoft Office 365 and other cloud services address these CJI requirements with strong organizational policies.
In a survey we conducted last fall, we found that over 1/3 of Florida cities and counties have already adopted both public and government editions of Microsoft Office 365. With the recent safety advancements in the government editions, we are expecting additional adoption across the state of Florida.
Below is a synopsis of the latest information surrounding Microsoft Office 365 and how it is being used by government agencies in Florida. I thought you might find this information helpful as you make continue to make future business plans using Microsoft Office 365! -Ingram Leedy, CEO
Executive Briefing - State of Microsoft Office 365 and Its Use in Florida Government
The purpose of this document is to provide a briefing on state of Microsoft Office 365 and its use in Florida Government.
In typical U.S. cities and counties, law enforcement and other criminal justice agencies account for as much as half of the government workforce. As more cities, counties, and courts are pursuing the enhanced capabilities and cost savings that Office 365 provides, getting law enforcement on board with this move is critical.
Office 365 for Government vs Office 365 Commercial/Public Editions
Most IT professionals working with government agencies are already familiar with Office 365 and know how transformative it can be. To exclusively address the security requirements of U.S. federal, state, and local government entities, Microsoft created Office 365 US Government Community Cloud (better known as “Office 365 GCC”). These editions of Office 365 are designed for the unique needs of government organizations.
Office 365 GCC provides the same features and capabilities of Office 365 Commercial/Public. However, they exist in a segmented government cloud community that enables organizations to achieve a higher level of compliance and meet tighter security standards.
In addition, Office 365 GCC High and Department of Defense (DoD) environments deliver compliance with DoD Security Requirements Guidelines, Defense Federal Acquisition Regulations Supplement (DFARS), and International Traffic in Arms Regulations (ITAR).
Why Use Office 365 for Government?
Microsoft Office Government plans feature an array of capabilities that help government organizations optimize processes and improve day-to-day efficiency. Here are three major benefits of using Office 365 for Government:
- Enhanced communication. Government employees can use Office 365 to hold secure multi-party HD online meetings with screen sharing, note taking, and annotation capabilities. With just a click, they can start an IM, conference call, or video chat, making collaboration tools easily accessible.
- Business mobility. For government employees that are constantly working from various locations or traveling, mobility is essential for success. Office 365 Government plans allow users to use Office applications securely and from any device. This enables them to work efficiently and effectively no matter where they are working from.
- Improved security. With Office 365 Government plans, your data will be segregated from commercial data and stored separately. Access is restricted to only screened Microsoft personnel, meaning your sensitive information won’t fall into the wrong hands.
Law Enforcement and CJIS Compliance
The Criminal Justice Information Services (CJIS) division of the U.S. Federal Bureau of Investigation (FBI) gives state, local, and federal law enforcement and criminal justice agencies access to criminal justice information (CJI). This can include information such as fingerprint records and criminal histories.
Law enforcement and other government agencies in the United States must ensure that their use of services for the transmission, storage, or processing of CJI complies with the CJIS Security Policy. This establishes minimum security requirements and controls to safeguard CJI so confidential information doesn’t end up in the wrong hands.
The CJIS Security Policy integrates presidential and FBI directives, federal laws, and the criminal justice community’s Advisory Policy Board decisions, along with guidance from the National Institute of Standards and Technology (NIST). The policy is periodically updated to reflect evolving security requirements as technology and standards change.
The CJIS Security Policy defines 13 areas that private contractors, such as cloud service providers, must evaluate to determine if their use of cloud services is consistent with CJIS requirements. These areas correspond closely to NIST Special Publication 800-53, which is also the basis for the Federal Risk and Authorization Management Program (FedRAMP)—a program under which Microsoft has been certified for its Government Cloud offerings.
In addition, all private contractors who process CJI must sign the CJIS Security Addendum, a uniform agreement approved by the US Attorney General that helps ensure the security and confidentiality of CJI required by the Security Policy. It also commits the contractor to maintain a security program consistent with federal and state laws, regulations, and standards, and limits the use of CJI to the purposes for which a government agency provided it.
Microsoft has and will sign the CJIS Security Addendum in states with CJIS Information Agreements. These agreements inform state law enforcement authorities responsible for compliance with CJIS Security Policy how Microsoft's cloud security controls help protect the full lifecycle of data and ensure appropriate background screening of operating personnel with access to CJI. Microsoft continues to work with state governments to enter into CJIS Information Agreements.
Microsoft has assessed the operational policies and procedures of Microsoft Azure Government, Microsoft Office 365 U.S. Government, and Microsoft Dynamics 365 U.S. Government. They will attest to their ability in the applicable services agreements to meet FBI requirements for the use of in-scope services.
What About Florida?
The Florida Department of Law Enforcement (FDLE), the State of Florida's CJIS systems agency, recently completed an audit of Microsoft controls applicable to the CJIS Security Policy. The audit results are available for all law enforcement agencies in Florida to meet their CJIS regulatory requirements.
The Miami Police Department has also committed to executing the CJIS Personnel Security Requirements for Microsoft. Another critical requirement of the CJIS Security Policy is the need for agencies to adjudicate internal and vendor employees with potential access to Criminal Justice Information (CJI).
As stated in Microsoft’s blog:
“Through the Lead Agency process in Florida, the Miami Police Department will be verifying the identification and performing national fingerprint-based record checks for applicable Microsoft employees per section 5.12.1 of the Policy. As the Lead Agency of Florida, other law enforcement agencies in Florida will be able to leverage the efforts of Miami Police Department for their CJIS compliance requirements.
In addition, the City of Miami Police Department will be validating other security requirements such as signed CJIS Security Addendums, CJIS Security Training, and other important regulations in the Policy.”
The agreement with Florida will bring the total number of states in which Microsoft has contractually committed to the applicable CJIS controls and signed the CJIS Security Addendum to 33. This represents a whopping 2/3 of the United States and over 80% of sworn officers in the country.
Do I Need to Wait to Use Office 365 GCC in my Organization?
The short answer? No.
Your organization can begin using Microsoft Office 365 today. However, it is vital that you do not put criminal justice information (CJI) in Microsoft Office 365 until approved by the Florida Department of Law Enforcement (FDLE). Also, be sure to have a strong policy in place that restricts the use of CJI to authorized systems.
Once FDLE and Microsoft sign their CJIS Information Agreement, the use of Microsoft Office 365 GCC and sharing of CJI will be expanded.
How Do I Get Started Using Office 365 in my Government Organization?
We can help!
We’ll keep your business up-to-date with the latest news and information it needs to operate efficiently and effectively. With years of experience, certifications, and specialized partnerships with government and Microsoft under our belt, Protected Trust can provide:
- Established best practices and guidance
- Flexible pricing and plans
- Assistance with validation and eligibility
- CJIS Security Addendum attestation
- Deployment and implementation assistance
- On-going support
- Continuous review of your compliance and security profile
Our entire team is ready to serve you. If you have questions, need help, or would like to learn more about the benefits of Office 365 for government employees, simply schedule an introduction with us.
In the meantime, be sure to check out our blog, as we share any relevant news or updates as they occur.